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DETAILED ACTION 

1 . Applicant remarks and amendment received on 3/07/08 have been entered. 

Response to Amendment 

2. Applicant arguments have been carefully considered. 

3. The amendment to the specification is accepted. 

4. In light of applicant's arguments and amendments objections to drawings and 35 
U.S.C. 112, second paragraph rejections are withdrawn. For example, in order to 
address the term "IKE traffic" rejected under the 35 U.S.C. 112, second paragraph 
rejection in the previous Office Action, applicant amended the claim language: "... 
wherein the IKE traffic is traffic using IKE protocols." Thus, clearly, the filtering 
mechanism as cited in the newly amended claim language: 

"... allowing IKE traffic from outside the VPN to flow into the VPN if the IKE traffic permit filters are 
not detected: ... wherein the IKE traffic is traffic using IKE protocols". 

is directed towards the traffic during key establishment (since the IKE is necessary 
to establish VPN and only non-VPN traffic that utilizes IKE protocol is traffic initiating 
the VPN or, in other words, establishes key for VPN data exchange) 
Response to Arguments 

5. Applicant's argument have been directed towards the newly introduced limitation. 
These arguments/new limitations are addressed in this Office Action, below. 

Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 
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The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claims 2, 9 and 20 rejected under 35 U.S.C. 112, second paragraph, as failing to set 
forth the subject matter which applicant(s) regard as their invention. 

7. The limitation "... searches for IKE traffic permit filters on a first node within the VPN" 
is not understood. VPN is an abstract concept (VPN stands for a 9-1 1 , 13-27 and 
30-31 Virtual Private Network, that could be implemented on a computer using 
software, for example), wherein a node is a computer. In other words the limitation 
"VPN within/on a first node" would make sense while "a first node within VPN" 
would not. For purpose of further examination, the limitation is treated as suggesting 
a node having a VPN and IKE traffic permit filters". 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 1-4, 7-8 and 9-11, 13-27 and 30-31 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Jason (USPN 6636520) in view Zhou (J. Zhou, "Further 
analysis of the Internet key exchange protocol", Computer Communications, Volume 
23, Issue 17, 11/1/2000) and further in view of Pfleeger (Charles P. Pfleeger, 



"Security in computing", 2nd edition, 1996, ISBN: 0133374866). 
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As per claim 1, Jason (USPN 6636520) discloses a virtual private network (VPN1 
also referred to as T1) that enables a second VPN traffic (VPN2/T2, see Jason, Fig. 
2 and associated text). 

9. Jason does not disclose that the T2 uses IKE protocols. 

Zhou discloses the use of IKE protocols (e.g. Zhou, "1 . Introduction" and "2. IKE 
protocol"). It would have been obvious to an ordinary artisan to configure 12 
disclosed by Jason to use IKE protocols given the benefit of security. 
12 using IKE protocols equate to IKE traffic. 

10. Jason discloses that T1 is established prior to 12; thus, IKE traffic from outside the 
VPN flows into the VPN. Establishing T1 prior to 12 evidences that VPN connection 
precedes an IKE traffic management through VPN. 

1 1 Jason in view of Zhu disclose a first node within the VPN (e.g. 204 or 206) but is 
silent in regard to the node using a filter detection system for searching for IKE traffic 
permit filters. 

Pfleeger discloses a filter detection system for searching IKE traffic permit filters 
(firewalls such as screening routers or proxy gateways, Pfleeger pg. 429-431). 
It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to employ a filter detection system for searching IKE traffic permit filters on 
a first node as taught by Pfleeger given the benefit of enable only authorized traffic. 
12. Lastly, IKE traffic is freely allowed (either from 202 to 206 or from 206 to 202) in 
Jason in view of Zhou's invention. In other words, IKE traffic permit filters are not 
detected and IKE traffic is allowed to automatically through the VPN, which would 
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equate to "automatically allowing IKE traffic from outside the VPN to flow into the 
VPN if the IKE traffic permit filters are not detected". 

13. As per claim 3, node 206 equates to a second/remote node. (Note that for the 
purpose of claim 3, nodes 208 and/or 210 also read on a second node.) 

14. As per claim 4, IKE traffic as discussed by Jason in view of Zhu's invention, used to 
establishes tunnel T2, thus establishes security associations for a VPN connection 
between the first node and the second node. 

15. As per claim 7, a traffic management system implementing IKE traffic must have 
entries that identify the connection between nodes, IP address of connected nodes 
and security associations for the VPN connections; otherwise communicate traffic 
between these nodes would not be possible. Even if, somehow, implementing the 
traffic without these entries, using entries that identify the connection between nodes 
(e.g. a port) IP address of connected nodes and security associations is old and well 
known in the art of computer networking (e.g. Proxys, VPNs etc.), and including 
them would have been an obvious variation given the benefit of correct data 
communication. Also, given the fact that it is old and well known in the art that 
tables are used to store information (e.g. ACL, DNS entries etc.) it would have been 
obvious to one of ordinary skill in the art at the time of applicant's invention to 
employ tables to store the IKE traffic entries for motivation of a quick access to the 
information. Additionally, as per claim 8, tunnel T1 and T2 equate to a nested VPN 
connections. 
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1 6. Claims 9-11,1 3-27 and 30-31 are substantially equivalent to claims 2-8; therefore 
claims 9-11, 13-27 and 30-31 are similarly rejected. 

17. Claims 5-6, 12 and 28-29 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Jason (USPN 6636520) in view Zhou (J. Zhou, "Further analysis 
of the Internet key exchange protocol", Computer Communications, Volume 23, 
Issue 17, 1 1/1/2000) and Pfleeger (Charles P. Pfleeger, "Security in computing", 2nd 
edition, 1996, ISBN: 0133374866), and further in view Noehring (USPUB 
2002/0188871). 

18. Jason in view of Zhou and Pfleeger teach the first and the second node and the IKE 
traffic enablement system for automatically allowing IKE traffic from outside the VPN 
to flow into the VPN as discussed above. 

19. Jason in view of Zhou and Pfleeger do not teach the IKE traffic enablement system 
allowing refreshing IKE traffic (used to refresh security association) to flow between 
the first node and the second node. 

20. Noehring discloses an IKE traffic enablement system allowing refreshing IKE traffic 
(used to refresh security association) to flow between the first node and the second 
node (Noehrin, col. 15, claims 7-8, for example). It would have been obvious to one 
of ordinary skill in the art at the time of applicant's invention to enable the IKE traffic 
enablement system to refreshing IKE traffic (used to refresh security association) to 
flow between the first node and the second node as taught by Noehring given the 
benefit of maintained connection after the expiration of the security associations. 
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Note that IKE is used to establish a tunnel (VPN connection) between the first and 
the second node. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 

Moshfeghi (USPN 6476833). 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is (571 ) 272- 
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3840. The examiner can normally be reached Monday through Thursday from 9:00 
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571 ) 272-381 1 . The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 
/Peter Poltorak/ 
Examiner, Art Unit 2134 
/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2134 



